From 749c7bd9adc37d4e1cfc4d2a570fdcde0e20c3c8 Mon Sep 17 00:00:00 2001
From: Christian Pointner <equinox@anytun.org>
Date: Tue, 6 Jan 2009 01:30:00 +0000
Subject: some cleanup added option for passphrase enabled option for kd-prf

---
 src/key_derivation.c | 35 ++++++++++++++++++++++++++++++-----
 src/key_derivation.h |  7 +++++--
 src/options.c        | 37 ++++++++++++++++++++++++++++---------
 src/options.h        |  1 +
 src/uanytun.c        | 20 +++++++++++++-------
 5 files changed, 77 insertions(+), 23 deletions(-)

(limited to 'src')

diff --git a/src/key_derivation.c b/src/key_derivation.c
index af3228d..9f16467 100644
--- a/src/key_derivation.c
+++ b/src/key_derivation.c
@@ -41,16 +41,28 @@
 #include <stdlib.h>
 #include <string.h>
 
-int key_derivation_init(key_derivation_t* kd, const char* type, int8_t ld_kdr, u_int8_t* key, u_int32_t key_len, u_int8_t* salt, u_int32_t salt_len)
+int key_derivation_init(key_derivation_t* kd, const char* type, int8_t ld_kdr, const char* passphrase, u_int8_t* key, u_int32_t key_len, u_int8_t* salt, u_int32_t salt_len)
 {
   if(!kd) 
     return -1;
 
+  kd->key_length_ = 0;
+
   kd->type_ = kd_unknown;
   if(!strcmp(type, "null"))
     kd->type_ = kd_null;
-  else if(!strcmp(type, "aes-ctr"))
+  else if(!strncmp(type, "aes-ctr", 7)) {
     kd->type_ = kd_aes_ctr;
+    if(type[7] == 0) {
+      kd->key_length_ = KD_AESCTR_DEFAULT_KEY_LENGTH;
+    }
+    else if(type[7] != '-') 
+      return -1;
+    else {
+      const char* tmp = &type[8];
+      kd->key_length_ = atoi(tmp);
+    }
+  }
   else {
     log_printf(ERR, "unknown key derivation type");
     return -1;
@@ -60,7 +72,6 @@ int key_derivation_init(key_derivation_t* kd, const char* type, int8_t ld_kdr, u
   if(ld_kdr > (int8_t)(sizeof(seq_nr_t) * 8))
     kd->ld_kdr_ = sizeof(seq_nr_t) * 8;
 
-  kd->key_length_ = key_len * sizeof(key[0]) * 8;
   kd->params_ = NULL;
 
   int i;
@@ -99,7 +110,7 @@ int key_derivation_init(key_derivation_t* kd, const char* type, int8_t ld_kdr, u
 
   int ret = 0;
   if(kd->type_ == kd_aes_ctr)
-    ret = key_derivation_aesctr_init(kd);
+    ret = key_derivation_aesctr_init(kd, passphrase);
 
   if(ret)
     key_derivation_close(kd);
@@ -107,6 +118,18 @@ int key_derivation_init(key_derivation_t* kd, const char* type, int8_t ld_kdr, u
   return ret;
 }
 
+int key_derivation_generate_master_key(key_derivation_t* kd, const char* passphrase, u_int16_t key_length)
+{
+
+  return 0;
+}
+
+int key_derivation_generate_master_salt(key_derivation_t* kd, const char* passphrase, u_int16_t salt_length)
+{
+
+  return 0;
+}
+
 void key_derivation_close(key_derivation_t* kd)
 {
   if(!kd)
@@ -159,7 +182,7 @@ int key_derivation_null_generate(u_int8_t* key, u_int32_t len)
 
 /* ---------------- AES-Ctr Key Derivation ---------------- */
 
-int key_derivation_aesctr_init(key_derivation_t* kd)
+int key_derivation_aesctr_init(key_derivation_t* kd, const char* passphrase)
 {
   if(!kd)
     return -1;
@@ -173,6 +196,8 @@ int key_derivation_aesctr_init(key_derivation_t* kd)
   key_derivation_aesctr_param_t* params = kd->params_;
 
 #ifndef USE_SSL_CRYPTO
+  params->handle_ = 0;
+
   int algo;
   switch(kd->key_length_) {
   case 128: algo = GCRY_CIPHER_AES128; break;
diff --git a/src/key_derivation.h b/src/key_derivation.h
index 2f1bfb5..d045527 100644
--- a/src/key_derivation.h
+++ b/src/key_derivation.h
@@ -69,13 +69,16 @@ struct key_derivation_struct {
 };
 typedef struct key_derivation_struct key_derivation_t;
 
-int key_derivation_init(key_derivation_t* kd, const char* type, int8_t ld_kdr, u_int8_t* key, u_int32_t key_len, u_int8_t* salt, u_int32_t salt_len);
+int key_derivation_init(key_derivation_t* kd, const char* type, int8_t ld_kdr, const char* passphrase, u_int8_t* key, u_int32_t key_len, u_int8_t* salt, u_int32_t salt_len);
+int key_derivation_generate_master_key(key_derivation_t* kd, const char* passphrase, u_int16_t key_length);
+int key_derivation_generate_master_salt(key_derivation_t* kd, const char* passphrase, u_int16_t salt_length);
 void key_derivation_close(key_derivation_t* kd);
 int key_derivation_generate(key_derivation_t* kd, satp_prf_label_t label, seq_nr_t seq_nr, u_int8_t* key, u_int32_t len);
 
 int key_derivation_null_generate(u_int8_t* key, u_int32_t len);
 
 
+#define KD_AESCTR_DEFAULT_KEY_LENGTH 128
 #define KD_AESCTR_CTR_LENGTH 16
 #define KD_AESCTR_SALT_LENGTH 14
 
@@ -115,7 +118,7 @@ struct key_derivation_aesctr_param_struct {
 };
 typedef struct key_derivation_aesctr_param_struct key_derivation_aesctr_param_t;
 
-int key_derivation_aesctr_init(key_derivation_t* kd);
+int key_derivation_aesctr_init(key_derivation_t* kd, const char* passphrase);
 void key_derivation_aesctr_close(key_derivation_t* kd);
 int key_derivation_aesctr_calc_ctr(key_derivation_t* kd, seq_nr_t* r, satp_prf_label_t label, seq_nr_t seq_nr);
 int key_derivation_aesctr_generate(key_derivation_t* kd, satp_prf_label_t label, seq_nr_t seq_nr, u_int8_t* key, u_int32_t len);
diff --git a/src/options.c b/src/options.c
index ae5d264..31dc498 100644
--- a/src/options.c
+++ b/src/options.c
@@ -40,6 +40,8 @@
 #include <stdio.h>
 #include <string.h>
 
+#include "log.h"
+
 #define PARSE_BOOL_PARAM(SHORT, LONG, VALUE)             \
     else if(!strcmp(str,SHORT) || !strcmp(str,LONG))     \
       VALUE = 1;
@@ -71,6 +73,22 @@
       i++;                                               \
     }
 
+#define PARSE_STRING_PARAM_SEC(SHORT, LONG, VALUE)       \
+    else if(!strcmp(str,SHORT) || !strcmp(str,LONG))     \
+    {                                                    \
+      if(argc < 1 || argv[i+1][0] == '-')                \
+        return i;                                        \
+      if(VALUE) free(VALUE);                             \
+      VALUE = strdup(argv[i+1]);                         \
+      if(!VALUE)                                         \
+        return -2;                                       \
+      size_t j;                                          \
+      for(j=0; j < strlen(argv[i+1]); ++j)               \
+        argv[i+1][j] = '#';                              \
+      argc--;                                            \
+      i++;                                               \
+    }
+
 #define PARSE_STRING_PARAM2(SHORT, LONG, VALUE1, VALUE2) \
     else if(!strcmp(str,SHORT) || !strcmp(str,LONG))     \
     {                                                    \
@@ -174,11 +192,12 @@ int options_parse(options_t* opt, int argc, char* argv[])
     PARSE_INT_PARAM("-s","--sender-id", opt->sender_id_)
     PARSE_INT_PARAM("-m","--mux", opt->mux_)
     PARSE_INT_PARAM("-w","--window-size", opt->seq_window_size_)
-    PARSE_STRING_PARAM("-c","--cipher", opt->cipher_)
 #ifndef NO_CRYPT
+    PARSE_STRING_PARAM("-c","--cipher", opt->cipher_)
     PARSE_STRING_PARAM("-k","--kd-prf", opt->kd_prf_)
     PARSE_INT_PARAM("-l","--ld-kdr", opt->ld_kdr_)
     PARSE_STRING_PARAM("-a","--auth-algo", opt->auth_algo_)
+    PARSE_STRING_PARAM_SEC("-E","--passphrase", opt->passphrase_)
     PARSE_HEXSTRING_PARAM_SEC("-K","--key", opt->key_)
     PARSE_HEXSTRING_PARAM_SEC("-A","--salt", opt->salt_)
 #endif
@@ -187,14 +206,9 @@ int options_parse(options_t* opt, int argc, char* argv[])
   }
 
 #ifndef NO_CRYPT
-  if(!strcmp(opt->cipher_, "null") && !strcmp(opt->auth_algo_, "null")) {
-    if(opt->kd_prf_) free(opt->kd_prf_);
-    opt->kd_prf_ = strdup("null");
-  }
   if((strcmp(opt->cipher_, "null") || strcmp(opt->auth_algo_, "null")) && 
      !strcmp(opt->kd_prf_, "null")) {
-    if(opt->kd_prf_) free(opt->kd_prf_);
-    opt->kd_prf_ = strdup("aes-ctr");
+    log_printf(WARNING, "using NULL key derivation with encryption and or authentication enabled!");
   }
 #endif
 
@@ -231,6 +245,7 @@ void options_default(options_t* opt)
   opt->kd_prf_ = strdup("aes-ctr");
   opt->ld_kdr_ = 0;
   opt->auth_algo_ = strdup("sha1");
+  opt->passphrase_ = NULL;
 #else
   opt->cipher_ = strdup("null");
 #endif
@@ -279,6 +294,8 @@ void options_clear(options_t* opt)
     free(opt->kd_prf_);
   if(opt->auth_algo_)
     free(opt->auth_algo_);
+  if(opt->passphrase_)
+    free(opt->passphrase_);
 #endif
   if(opt->key_.buf_)
     free(opt->key_.buf_);
@@ -308,11 +325,12 @@ void options_print_usage()
   printf("        [-s|--sender-id ] <sender id>       the sender id to use\n");
   printf("        [-w|--window-size] <window size>    seqence number window size\n");
   printf("        [-m|--mux] <mux-id>                 the multiplex id to use\n");
-  printf("        [-c|--cipher] <cipher type>         payload encryption algorithm\n");
 #ifndef NO_CRYPT
+  printf("        [-c|--cipher] <cipher type>         payload encryption algorithm\n");
   printf("        [-a|--auth-algo] <algo type>        message authentication algorithm\n");
-//  printf("        [-k|--kd-prf] <kd-prf type>         key derivation pseudo random function\n");
+  printf("        [-k|--kd-prf] <kd-prf type>         key derivation pseudo random function\n");
   printf("        [-l|--ld-kdr] <ld-kdr>              log2 of key derivation rate\n");
+  printf("        [-E|--passphrase <pass phrase>      a passprhase to generate master key and salt from\n");
   printf("        [-K|--key] <master key>             master key to use for encryption\n");
   printf("        [-A|--salt] <master salt>           master salt to use for encryption\n");
 #endif
@@ -343,6 +361,7 @@ void options_print(options_t* opt)
   printf("auth_algo: '%s'\n", opt->auth_algo_);
   printf("kd_prf: '%s'\n", opt->kd_prf_);
   printf("ld_kdr: %d\n", opt->ld_kdr_);
+  printf("passphrase: '%s'\n", opt->passphrase_);
 #endif
 
   u_int32_t i;
diff --git a/src/options.h b/src/options.h
index 8808e63..ce8f3fc 100644
--- a/src/options.h
+++ b/src/options.h
@@ -58,6 +58,7 @@ struct options_struct {
   char* kd_prf_;
   int ld_kdr_;
   char* auth_algo_;
+  char* passphrase_;
 #endif
   mux_t mux_;
   buffer_t key_;
diff --git a/src/uanytun.c b/src/uanytun.c
index b33ff43..051886a 100644
--- a/src/uanytun.c
+++ b/src/uanytun.c
@@ -95,7 +95,6 @@ int init_libgcrypt()
 
 int main_loop(tun_device_t* dev, udp_socket_t* sock, options_t* opt)
 {
-  int return_value = 0;
   log_printf(INFO, "entering main loop");
 
   plain_packet_t plain_packet;
@@ -111,7 +110,7 @@ int main_loop(tun_device_t* dev, udp_socket_t* sock, options_t* opt)
   int ret = cipher_init(&c, opt->cipher_);
   if(ret) {
     log_printf(ERR, "could not initialize cipher of type %s", opt->cipher_);
-    return_value = ret;
+    return ret;
   }
   
 #ifndef NO_CRYPT
@@ -119,26 +118,33 @@ int main_loop(tun_device_t* dev, udp_socket_t* sock, options_t* opt)
   ret = auth_algo_init(&aa, opt->auth_algo_);
   if(ret) {
     log_printf(ERR, "could not initialize auth algo of type %s", opt->auth_algo_);
-    return_value = ret;
+    cipher_close(&c);
+    return ret;
   }
 
   key_derivation_t kd_in;
-  ret = key_derivation_init(&kd_in, opt->kd_prf_, opt->ld_kdr_, opt->key_.buf_, opt->key_.length_, opt->salt_.buf_, opt->salt_.length_);
+  ret = key_derivation_init(&kd_in, opt->kd_prf_, opt->ld_kdr_, opt->passphrase_, opt->key_.buf_, opt->key_.length_, opt->salt_.buf_, opt->salt_.length_);
   if(ret) {
     log_printf(ERR, "could not initialize inbound key derivation of type %s", opt->kd_prf_);
-    return_value = ret;
+    cipher_close(&c);
+    auth_algo_close(&aa);
+    return ret;
   }
 
   key_derivation_t kd_out;
-  ret = key_derivation_init(&kd_out, opt->kd_prf_, opt->ld_kdr_, opt->key_.buf_, opt->key_.length_, opt->salt_.buf_, opt->salt_.length_);
+  ret = key_derivation_init(&kd_out, opt->kd_prf_, opt->ld_kdr_, opt->passphrase_, opt->key_.buf_, opt->key_.length_, opt->salt_.buf_, opt->salt_.length_);
   if(ret) {
     log_printf(ERR, "could not initialize outbound key derivation of type %s", opt->kd_prf_);
-    return_value = ret;
+    cipher_close(&c);
+    auth_algo_close(&aa);
+    key_derivation_close(&kd_in);
+    return ret;
   }
 #else
   key_derivation_t kd_in, kd_out;
 #endif
 
+  int return_value = 0;
   seq_win_t seq_win;
   ret = seq_win_init(&seq_win, opt->seq_window_size_);
   if(ret) {
-- 
cgit v1.2.3